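# nginx front end for the LDAP auth_request reference setup:
#   - every request to "/" is gated by a subrequest to /auth-proxy,
#   - /auth-proxy forwards (headers only) to the auth daemon on 127.0.0.1:8888,
#   - 401/403 from the daemon are turned into the /login page.
#
# Log level lowered from "debug": at debug level nginx writes the raw
# upstream request buffers to the error log, which for the /auth-proxy
# subrequest includes the client's Authorization/Cookie values and the
# X-Ldap-BindPass header set below. Raise to "debug" only temporarily.
error_log logs/error.log notice;

events { }

http {
    # Cache for auth_request results; see proxy_cache_valid below for the
    # trade-off this implies.
    proxy_cache_path cache/ keys_zone=auth_cache:10m;

    upstream backend {
        server 127.0.0.1:9000;
    }

    server {
        listen      127.0.0.1:8080;
        server_name localhost;

        # Protected application
        location / {
            auth_request /auth-proxy;

            # redirect 401 and 403 to login form
            error_page 401 =200 /login;
            error_page 403 =200 /login;

            proxy_pass http://backend/;
        }

        location /login {
            proxy_pass http://backend/login;
            # login service will return a redirect for user to original URI
            # and set cookie for auth daemon
            proxy_set_header X-TARGET $request_uri;
        }

        location = /auth-proxy {
            # Only reachable via auth_request; never exposed as a client URI.
            internal;

            # (Required) Set the IP address where the authentication daemon
            # is running, by replacing '127.0.0.1' with the appropriate
            # value. The authentication daemon listens on port 8888 as
            # configured in the Python script.
            # NOTE: this hop is plain HTTP and carries credentials in headers;
            # keep it on loopback or an otherwise trusted network path.
            proxy_pass http://127.0.0.1:8888;

            # The daemon only needs headers, so the body is dropped.
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";

            # Cached verdicts (both allow=200 and deny=403) live for 10m:
            # a revoked or changed credential keeps its previous verdict
            # until the entry expires.
            proxy_cache       auth_cache;
            proxy_cache_valid 200 403 10m;

            # The following directive adds the cookie to the cache key.
            # A '|' separator keeps distinct (Authorization, cookie) pairs
            # from concatenating to the same key.
            proxy_cache_key "$http_authorization|$cookie_nginxauth";

            # The auth daemon in the reference implementation communicates
            # with an OpenLDAP server, passing in the following parameters
            # to specify which user account to authenticate. To eliminate the
            # need to modify the Python code, this file contains
            # 'proxy_set_header' directives that correspond to the parameters.
            # Set or change them as instructed in the comments.
            #
            # Parameter      Proxy header
            # -----------    ----------------
            # basedn         X-Ldap-BaseDN
            # binddn         X-Ldap-BindDN
            # bindpasswd     X-Ldap-BindPass
            # cookiename     X-CookieName
            # realm          X-Ldap-Realm
            # template       X-Ldap-Template
            # url            X-Ldap-URL

            # (Required) Set the URL and port for connecting to the LDAP server,
            # by replacing 'example.com' and '636' with the appropriate values.
            # ldaps:// keeps the bind credentials off the wire in clear text.
            proxy_set_header X-Ldap-URL      "ldaps://example.com:636";

            # (Required) Set the Base DN, by replacing the value enclosed in
            # double quotes.
            proxy_set_header X-Ldap-BaseDN   "cn=Users,dc=test,dc=local";

            # (Required) Set the Bind DN, by replacing the value enclosed in
            # double quotes.
            proxy_set_header X-Ldap-BindDN   "cn=root,dc=test,dc=local";

            # (Required) Set the Bind password, by replacing 'secret'.
            # This value lives in the config file in clear text: restrict the
            # file's permissions and prefer a low-privilege bind account.
            proxy_set_header X-Ldap-BindPass "secret";

            # (Required) The following directives set the cookie name and pass
            # it, respectively. They are required for cookie-based
            # authentication. Comment them out if using HTTP basic
            # authentication.
            # Only the nginxauth cookie is forwarded, not the whole Cookie
            # header, so unrelated application cookies stay with nginx.
            proxy_set_header X-CookieName "nginxauth";
            proxy_set_header Cookie nginxauth=$cookie_nginxauth;

            # (Required if using Microsoft Active Directory as the LDAP server)
            # Set the LDAP template by uncommenting the following directive.
            #proxy_set_header X-Ldap-Template "(SAMAccountName=%(username)s)";

            # (Optional if using OpenLDAP as the LDAP server) Set the LDAP
            # template by uncommenting the following directive and replacing
            # '(cn=%(username)s)' (the default set in the Python script):
            #proxy_set_header X-Ldap-Template "(cn=%(username)s)";

            # (Optional) Set the realm name, by uncommenting the following
            # directive and replacing 'Restricted' (the default set in the
            # Python script).
            #proxy_set_header X-Ldap-Realm "Restricted";
        }
    }
}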